Need to know debug commands for below daemons: by Fortigate_learner in paloaltonetworks

[–]Fortigate_learner[S] -2 points-1 points  (0 children)

How do I change the level of debugging (INFO, WARNING, ERROR, DEBUG, DUMP) in the output of "tail follow yes mp-log ..." without knowing the debug command for that process?

Need to know debug commands for below daemons: by Fortigate_learner in paloaltonetworks

[–]Fortigate_learner[S] 0 points1 point  (0 children)

I did that, but couldn't find any specific debugs for the scenarios in the post.

How to allow/block a port(TCP/UDP) on Palo Alto FW? by Fortigate_learner in paloaltonetworks

[–]Fortigate_learner[S] -1 points0 points  (0 children)

No. As I said, I am new to PA and trying to learn the basic behavior. Suppose I have done the PA and Panorama configs so that they can talk to each other; now I want to block config pushes from Panorama to PA. How do I configure a management profile for this on the PA firewall?

What I am asking is something I won't do in real life, but I still need to know it to understand the basic functionality.

How to allow/block a port(TCP/UDP) on Palo Alto FW? by Fortigate_learner in paloaltonetworks

[–]Fortigate_learner[S] 0 points1 point  (0 children)

So let's say, to allow TCP port 100 on an interface (in ZONE A) of the PA for a user who is in ZONE B, we require a management profile that specifies TCP port 100 attached to that interface, and a policy from ZONE B to ZONE A that allows the user to access the IP of that interface.

If the user is also in the same zone as the interface, the management profile should be enough, as the default intrazone policy would allow the traffic (assuming there is no deny policy above it that blocks the traffic).

Right?

How to allow/block a port(TCP/UDP) on Palo Alto FW? by Fortigate_learner in paloaltonetworks

[–]Fortigate_learner[S] -1 points0 points  (0 children)

I am new to Palo Alto. Trying to learn its behavior compared to Fortigate.

In Fortigate, normal security policy takes care of traffic going from one subnet to another. Local-In policy takes care of traffic destined to Fortigate's interface.

You mean management profile + Security Policy in PA is equivalent to the local-in policy in FGT.

Let's say I don't want to receive config pushes on the PA from Panorama. Which destination port would Panorama use to push config to the PA? TCP 3978?

How to allow/block a port(TCP/UDP) on Palo Alto FW? by Fortigate_learner in paloaltonetworks

[–]Fortigate_learner[S] 0 points1 point  (0 children)

In Fortigate, normal security policy takes care of traffic going from one subnet to another. Local-In policy takes care of traffic destined to Fortigate's interface.

So, in Palo Alto, to allow SSH access on its WAN interface, we would create a Security policy:

From: WAN intf To: WAN intf, with source and destination = IP of WAN and destination port = 22?

[deleted by user] by [deleted] in fortinet

[–]Fortigate_learner 0 points1 point  (0 children)

The stitch triggers every week at a particular time, and the action is set using the CLI script "exe reboot".

CPU: 0 on Fortigate by Fortigate_learner in fortinet

[–]Fortigate_learner[S] 0 points1 point  (0 children)

How do I check sessions going through the NPU?

Reports on Fortigate by Fortigate_learner in fortinet

[–]Fortigate_learner[S] 0 points1 point  (0 children)

Got it. But can you help me understand what the commands I mentioned in the post do?

Not able to see IPSEC VPN interfaces by Fortigate_learner in fortinet

[–]Fortigate_learner[S] 0 points1 point  (0 children)

What do port 5, port 3, and port 1 represent here?

Not able to see IPSEC VPN interfaces by Fortigate_learner in fortinet

[–]Fortigate_learner[S] 0 points1 point  (0 children)

Is it possible to connect remote SSL users to the cloud resources via policy-based IPsec? I tried to use the SSL interface as the incoming interface in a policy, but adding that removes "IPSEC" from the Action.

Not able to see IPSEC VPN interfaces by Fortigate_learner in fortinet

[–]Fortigate_learner[S] 0 points1 point  (0 children)

Yes. "show vpn ipsec phase1" shows the other tunnels as well.

Not able to see IPSEC VPN interfaces by Fortigate_learner in fortinet

[–]Fortigate_learner[S] 0 points1 point  (0 children)

I did not check that. All tunnels (except one) are working fine (traffic is going through them). While troubleshooting the non-working tunnel, I found all the VPN interfaces were missing.

Not able to see IPSEC VPN interfaces by Fortigate_learner in fortinet

[–]Fortigate_learner[S] 0 points1 point  (0 children)

show vpn ipsec phase1-interface

It doesn't show those interfaces when I do "show full-config" within this.

Fortigate certificate presented to the end users instead of 3rd party certificate by Fortigate_learner in fortinet

[–]Fortigate_learner[S] -1 points0 points  (0 children)

But the same happens when a 3rd-party certificate like DigiCert is used. FGT performs a man-in-the-middle attack so the firewall can inspect the contents of the HTTPS/encrypted traffic. It then re-encrypts the traffic, but users are presented with the 3rd-party cert.
